gantsign/ktlint-maven-plugin

Vulnerabilities: 2 via 7 paths

Dependencies: 88

Source: GitHub

Commit: 0912d6d6


high severity

Command Injection

  • Vulnerable module: org.apache.maven.shared:maven-shared-utils
  • Introduced through: org.apache.maven.shared:maven-shared-utils@3.2.1 and org.apache.maven.reporting:maven-reporting-impl@3.0.0

Detailed paths

  • Introduced through: gantsign/ktlint-maven-plugin@0912d6d677b601c338f6c80ee976796fbfbd15b5 → org.apache.maven.shared:maven-shared-utils@3.2.1
  • Introduced through: gantsign/ktlint-maven-plugin@0912d6d677b601c338f6c80ee976796fbfbd15b5 → org.apache.maven.reporting:maven-reporting-impl@3.0.0 → org.apache.maven.shared:maven-shared-utils@3.2.1
  • Introduced through: gantsign/ktlint-maven-plugin@0912d6d677b601c338f6c80ee976796fbfbd15b5 → org.apache.maven.reporting:maven-reporting-impl@3.0.0 → org.apache.maven:maven-core@3.5.4 → org.apache.maven.shared:maven-shared-utils@3.2.1

Overview

org.apache.maven.shared:maven-shared-utils is a functional replacement for plexus-utils in Maven.

Affected versions of this package are vulnerable to Command Injection. The Commandline class can emit double-quoted strings without proper escaping, which allows shell injection. For maximum safety across shells that implement a superset of POSIX quoting rules, the BourneShell class should unconditionally single-quote every emitted string (including the name of the command itself), using '"'"' for embedded single quotes.

This is a similar issue to SNYK-JAVA-ORGCODEHAUSPLEXUS-31522.

Remediation

There is no fixed version for org.apache.maven.shared:maven-shared-utils.


low severity

Information Exposure

  • Vulnerable module: commons-codec:commons-codec
  • Introduced through: org.apache.maven.doxia:doxia-core@1.9.1, com.github.gantsign.maven.doxia:doxia-sink-api-ktx@1.1.0 and others

Detailed paths

  • Introduced through: gantsign/ktlint-maven-plugin@0912d6d677b601c338f6c80ee976796fbfbd15b5 → org.apache.maven.doxia:doxia-core@1.9.1 → org.apache.httpcomponents:httpclient@4.5.12 → commons-codec:commons-codec@1.11
  • Introduced through: gantsign/ktlint-maven-plugin@0912d6d677b601c338f6c80ee976796fbfbd15b5 → com.github.gantsign.maven.doxia:doxia-sink-api-ktx@1.1.0 → org.apache.maven.doxia:doxia-core@1.9.1 → org.apache.httpcomponents:httpclient@4.5.12 → commons-codec:commons-codec@1.11
  • Introduced through: gantsign/ktlint-maven-plugin@0912d6d677b601c338f6c80ee976796fbfbd15b5 → org.apache.maven.reporting:maven-reporting-impl@3.0.0 → org.apache.maven.doxia:doxia-core@1.9.1 → org.apache.httpcomponents:httpclient@4.5.12 → commons-codec:commons-codec@1.11
  • Introduced through: gantsign/ktlint-maven-plugin@0912d6d677b601c338f6c80ee976796fbfbd15b5 → org.apache.maven.reporting:maven-reporting-impl@3.0.0 → org.apache.maven.doxia:doxia-site-renderer@1.7.4 → org.apache.maven.doxia:doxia-core@1.9.1 → org.apache.httpcomponents:httpclient@4.5.12 → commons-codec:commons-codec@1.11

Overview

commons-codec:commons-codec is a package that contains simple encoders and decoders for various formats such as Base64 and Hexadecimal.

Affected versions of this package are vulnerable to Information Exposure. The Base32 implementation does not reject input strings that no byte array would encode to; instead it decodes them to an arbitrary value that can be re-encoded with the same implementation. This allows information exposure exploits such as tunneling additional information via seemingly valid Base32 strings.

Remediation

Upgrade commons-codec:commons-codec to version 1.13 or higher.
